BaFin's DORA Guidance Notes: What Germany's Supervisor Expects and How to Prepare

Germany's Supervisor Raises the Bar
When BaFin speaks, Europe's largest banking market listens. In August 2025, Germany's Federal Financial Supervisory Authority published its most comprehensive DORA guidance notes to date, alongside broader ESA guidance: a set of supervisory expectations that translate the regulation's principle-based requirements into operationally specific standards for the approximately 2,700 financial entities under German supervision.
The timing was deliberate. The Register of Information submission deadline had passed on April 11, 2025, giving BaFin its first comprehensive view of ICT third-party dependencies across the German financial sector. The TLPT RTS had been published and entered into force. And the first wave of supervisory engagement — desk-based reviews, thematic inquiries, and bilateral discussions — had provided BaFin with sufficient insight into the industry's compliance posture to calibrate its expectations.
What emerged was not a gentle encouragement to continue compliance efforts. It was a detailed set of supervisory priorities that signal where BaFin will focus its examination resources — and where institutions that fall short will face consequences.
The Three BaFin Focus Areas
BaFin's guidance concentrates on three domains where the supervisor has identified systemic gaps across the German financial sector.
1. ICT Concentration Risk in Banking Groups
Germany's banking sector is structurally concentrated. The savings bank network (Sparkassen), the cooperative banking system (Volks- und Raiffeisenbanken), and the major commercial banks all operate through corporate group structures where ICT services are frequently centralized at the group level or outsourced to shared service providers.
BaFin's guidance explicitly addresses this structural reality. The supervisor expects institutions to assess concentration risk not only at the entity level but across the corporate group — including shared ICT infrastructure, common cloud providers, and centralized technology platforms that create correlated failure risk across group members.
This goes beyond Art. 29's concentration risk assessment requirements by explicitly linking group-level ICT dependency to prudential risk. A Sparkasse relying on its central IT provider for core banking, payments, and customer channels has a concentration exposure that BaFin expects to see documented, quantified, and managed — with tested contingency plans for the scenario where the central provider fails.
| BaFin focus area | DORA article | Supervisory expectation |
|---|---|---|
| Group-level ICT concentration | Art. 29 | Quantified concentration assessment across corporate group, not just entity-level |
| Shared service provider dependency | Art. 28-29 | Documented contingency plans for failure of centralized ICT providers |
| Sub-outsourcing chain mapping | Art. 30(2)(a) | Complete visibility into fourth-party dependencies, especially cloud infrastructure |
| Concentration in banking networks | Art. 29(2)(c) | Systemic risk assessment where multiple network members depend on same provider |
2. Third-Party Supervision Intensification
BaFin's guidance signals a significant escalation of third-party risk management expectations. The Register of Information submission provided BaFin with data on thousands of ICT service relationships across the German market. The supervisor is now moving from data collection to data-driven supervision.
Specifically, BaFin expects:
Completeness and accuracy of the Register. Institutions that submitted incomplete or inaccurate registers will face follow-up inquiries. BaFin has the data to cross-reference submissions — if multiple institutions report relationships with the same provider but with materially different service descriptions, the supervisor will investigate.
Contractual compliance with Art. 30. BaFin is reviewing whether existing contracts with ICT third-party service providers meet Art. 30's mandatory contractual provisions. Contracts signed before DORA that lack required clauses — particularly on audit rights, data access, and termination assistance — must be renegotiated.
Exit strategy credibility. BaFin is particularly focused on exit strategies for critical ICT providers. An exit strategy document that has not been tested, that does not identify specific alternative providers, or that assumes migration timelines shorter than any reasonable assessment would support is not credible. BaFin expects institutions to be able to demonstrate — not merely assert — that they can transition away from a critical provider within their stated timeline.
3. The Intentional vs. Negligent Breach Distinction
Germany's transposition of DORA's penalty provisions introduces a distinction that most other member states did not adopt: the differentiation between intentional and negligent breaches. Under Germany's EUR 5 million maximum penalty ceiling, the penalty calculation considers whether the breach resulted from deliberate non-compliance or from inadequate processes, resources, or competence.
This distinction matters operationally. An institution that can document good-faith compliance efforts which nonetheless fell short is in a materially different position from one that knowingly failed to implement required measures. It also means that BaFin's examination approach will probe not just whether an institution is compliant, but whether gaps resulted from negligence (potentially lower penalties) or intentional disregard (maximum penalty exposure).
| Penalty factor | Germany (BaFin) | Implications for institutions |
|---|---|---|
| Maximum ceiling | EUR 5 million | Lower than Italy (EUR 20M), higher than Czech Republic (EUR 2M) |
| Intentional vs. negligent | Yes — explicitly differentiated | Good-faith compliance efforts matter for penalty calculation |
| Personal liability | Possible for management body | Board members face individual exposure under Art. 5 obligations |
| Turnover-based alternative | Not primary mechanism | Fixed ceiling applies, not percentage of turnover |
| Aggravating factors | Systemic impact, repeat offenses | Higher penalties for breaches affecting financial stability |
| Mitigating factors | Remediation speed, cooperation | Prompt corrective action reduces penalty exposure |
What the April 2025 Register Submission Revealed
The April 11, 2025 Register of Information deadline was the first mandatory data submission under DORA — and it provided supervisors across the EU with unprecedented visibility into the financial sector's ICT dependency landscape. For Germany, the submission revealed several patterns that directly informed BaFin's August guidance:
Concentrated cloud dependencies. A significant proportion of German financial institutions reported dependencies on the same small number of cloud providers. When viewed in aggregate, the sector's cloud concentration is materially higher than individual institutions may appreciate.
Sub-outsourcing opacity. Many institutions could not provide complete information about their providers' sub-outsourcing chains. The fields in the Register relating to fourth-party dependencies were frequently incomplete, indicating that institutions either lack contractual rights to this information or have not exercised those rights.
Contract modernization gaps. The Register data implicitly revealed the scope of contracts that predate DORA and lack the mandatory provisions of Art. 30. BaFin estimated that a significant share of ICT contracts across the German market require renegotiation to achieve compliance.
BaFin's Examination Methodology
BaFin's DORA examinations will follow a risk-based approach, prioritizing entities based on their systemic importance, ICT dependency complexity, and compliance posture as revealed by the Register submission.
Phase 1 — Desk-based review (ongoing). Analysis of Register of Information submissions, mapping of concentration patterns, identification of entities with elevated risk profiles.
Phase 2 — Thematic inquiries (H2 2025 through 2026). Focused requests for documentation on specific topics: exit strategy documentation, BCP testing results, incident reporting procedures, ICT risk management frameworks.
Phase 3 — On-site examinations (2026 onward). Physical inspections of ICT risk management practices, evidence of testing, audit trail completeness, and RBAC implementation. BaFin has signaled that on-site examinations will increase in frequency and scope during 2026.
The Practical Preparation Checklist
For institutions under BaFin supervision, the August 2025 guidance translates into a concrete preparation agenda:
Immediate (within 30 days):
- Review and update Register of Information submission for completeness and accuracy
- Inventory all ICT contracts with critical or important providers for Art. 30 compliance gaps
- Document group-level ICT concentration exposure with quantified metrics
Short-term (within 90 days):
- Renegotiate contracts that lack mandatory Art. 30 provisions (audit rights, termination assistance, data access)
- Test exit strategies for critical ICT providers — at minimum, tabletop exercises
- Establish or formalize information sharing arrangements under Art. 45
- Brief the management body on BaFin's guidance and the institution's compliance posture
Medium-term (within 180 days):
- Conduct full concentration risk assessment incorporating group-level dependencies
- Map sub-outsourcing chains for all critical ICT providers to at least the fourth-party level
- Run ICT business continuity tests that include critical provider failure scenarios
- Build documented evidence of good-faith compliance efforts (relevant to the intentional vs. negligent distinction)
| Action | BaFin priority alignment | Evidence to produce |
|---|---|---|
| Register accuracy review | Third-party supervision | Updated Register submission, correction log |
| Contract renegotiation | Art. 30 compliance | Amendment tracker, legal review documentation |
| Concentration risk quantification | Group-level focus | HHI calculation, single-point-of-failure analysis |
| Exit strategy testing | Credibility assessment | Test report, identified alternatives, migration timeline |
| Board briefing | Management body obligations | Board minutes documenting DORA briefing |
| BCP testing with provider failure | Business continuity | Test plan, results, remediation actions |
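The concentration metrics the table above names as evidence (HHI calculation, single-point-of-failure analysis), worked through on a constructed group register as an added Python example that is not part of BaFin's guidance or this article. Entity and provider names are invented; the example assumes the common HHI convention of squaring percentage shares (0 to 10000) and weights every outsourced function equally, a simplification a real assessment would replace with criticality or spend weights.

```python
from collections import defaultdict

# Constructed sample (all names invented): one banking group's ICT dependencies
# recorded as (entity, function, direct provider, fourth party the provider
# itself runs on). Every record is one outsourced function, weighted equally.
GROUP_REGISTER = [
    ("Bank A", "core banking", "GroupIT",   "CloudX"),
    ("Bank A", "payments",     "PayCo",     "CloudX"),
    ("Bank A", "channels",     "GroupIT",   "CloudX"),
    ("Bank B", "core banking", "GroupIT",   "CloudX"),
    ("Bank B", "payments",     "PayCo",     "CloudX"),
    ("Bank B", "channels",     "WebVendor", "CloudY"),
    ("Bank C", "core banking", "CoreAlt",   "CloudY"),
    ("Bank C", "payments",     "PayCo",     "CloudX"),
    ("Bank C", "channels",     "WebVendor", "CloudY"),
]

DIRECT, FOURTH_PARTY = 2, 3  # column of the provider tier to analyse

def entity_records(records, entity):
    """Restrict the register to a single group member (entity-level view)."""
    return [r for r in records if r[0] == entity]

def hhi(records, level):
    """Herfindahl-Hirschman Index of provider shares at the given tier.
    Shares are percentages, so the index runs from near 0 (diversified)
    to 10000 (a single provider carries every function)."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec[level]] += 1
    total = sum(counts.values())
    return round(sum((100 * c / total) ** 2 for c in counts.values()), 1)

def single_points_of_failure(records, level, min_entities=2):
    """Providers at the given tier whose failure would hit at least
    `min_entities` group members at once: the correlated-failure exposure
    the guidance expects to see documented and covered by contingency plans."""
    hit = defaultdict(set)
    for rec in records:
        hit[rec[level]].add(rec[0])
    return {p: sorted(e) for p, e in hit.items() if len(e) >= min_entities}

if __name__ == "__main__":
    for bank in ("Bank A", "Bank B", "Bank C"):
        own = entity_records(GROUP_REGISTER, bank)
        print(bank, hhi(own, DIRECT), hhi(own, FOURTH_PARTY))
    print("group direct HHI", hhi(GROUP_REGISTER, DIRECT))
    print("group fourth-party HHI", hhi(GROUP_REGISTER, FOURTH_PARTY))
    print("group SPoF", single_points_of_failure(GROUP_REGISTER, FOURTH_PARTY))
```

Run stand-alone, it shows Bank C looking diversified at the direct-provider tier (HHI 3333.3) while the same entity, and the group as a whole, sits at 5555.6 once fourth-party cloud is counted, with CloudX a single point of failure for all three members.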
How BaFin Compares to Other NCAs
BaFin's approach to DORA supervision differs from its peers in several notable ways:
Versus AMF (France). The French supervisor has focused more heavily on incident reporting readiness and TLPT programme establishment. BaFin's concentration risk emphasis reflects Germany's structural reliance on centralized IT providers within banking groups.
Versus Consob/Banca d'Italia (Italy). Italy's EUR 20 million penalty ceiling — four times Germany's — signals a more aggressive deterrent posture. See our penalty divergence analysis for the full picture across all 27 member states. Italy has also been the target of more NoName057 attacks, driving greater attention to cyber resilience.
Versus CSSF (Luxembourg). Luxembourg's focus on cross-border fund managers and their ICT dependencies reflects its market structure. The CSSF has emphasized proportionality for smaller entities more explicitly than BaFin.
Versus CBI (Ireland). Ireland's concentration of EU-headquarters technology companies creates a unique supervisory environment. The CBI's focus on cloud providers as CTPPs is more pronounced than BaFin's, given the structural presence of AWS, Microsoft, and Google in Ireland.
The common thread across all NCAs: 2025 was the observation year. 2026 is the enforcement year. BaFin's August guidance is the bridge between the two.
The Board Dimension: Art. 5 Under German Law
BaFin's guidance reinforces that Art. 5's governance obligations fall directly on the management body — Vorstand in the German corporate structure. The board must approve the ICT risk management framework, ensure adequate resources, and receive regular reporting on ICT risk posture.
German corporate governance law amplifies this obligation. The Geschäftsleiterpflichten (management duties) under the German Banking Act already impose personal liability for inadequate risk management. DORA's Art. 5 adds a specific layer of ICT risk governance that BaFin will examine independently.
For board members, this means:
- Personal exposure if the institution's ICT risk framework is inadequate
- Obligation to demonstrate ICT risk competence (Art. 5(4) training requirement)
- Responsibility for the institution's concentration risk posture
- Accountability for the credibility of exit strategies and BCP testing
Preparing for What Comes Next
BaFin's August 2025 guidance is not a one-time publication. It is the first in a series of supervisory communications that will progressively tighten expectations as the enforcement regime matures. Institutions that treat it as a compliance checklist rather than a strategic signal will find themselves continuously catching up.
The institutions best positioned for BaFin's evolving expectations are those that treat DORA not as a regulatory burden but as an operational resilience programme — one that produces measurable improvements in their ability to withstand, respond to, and recover from ICT disruptions. BaFin's guidance, read carefully, is not asking institutions to fill in forms. It is asking them to prove that their operational resilience is real.
This analysis reflects BaFin's DORA guidance notes published in August 2025 and the penalty provisions transposed under German law. Specific supervisory expectations may evolve as BaFin publishes additional guidance and initiates examination cycles.